UASF nodes wrongly reporting IP

[piotr_n]

A number of nodes ran from the amazon cloud (all representing themselves as "UASF/SegWit/BIP148/whatever") are wrongly reporting connecting node's IP, putting own in it's place.

I imagine there is a purpose in doing that.

Whoever does it, I just want him to know that he might suffer from some serious issues and maybe it isn't too late yet to consult a doctor.

Below some example IPs.

Code:

34.203.31.60 from /Satoshi:0.14.1(UASF-SegWit-BIP148)/
34.203.31.60 from /Satoshi:0.14.0(UASF-SegWit-BIP148)/
52.60.155.242 from /Satoshi:0.14.1(BIP8; UASF-SegWit-BIP149; UASF-SegWit-BIP148)/
54.194.206.222 from /Satoshi:0.14.1/UASF-Segwit:0.3(BIP148)/
35.154.110.140 from /Satoshi:0.14.1/UASF-Segwit:0.3(BIP148)/
34.209.234.16 from /Satoshi:0.14.1/UASF-Segwit:0.3(BIP148)/
54.250.162.133 from /Satoshi:0.14.1(UASF-SegWit-BIP148)/
54.171.65.204 from /Satoshi:0.14.1/UASF-Segwit:0.3(BIP148)/
54.93.250.167 from /Satoshi:0.14.1/UASF-Segwit:0.3(BIP148)/

[1715317891]

1715317891

[1715317891]

1715317891

[1715317891]

1715317891

[piotr_n]

How does bitcoin core discover own IP, which is then reported to new peers inside the version messages?

I think these days it's just by the value reported from the connected peers - is that right?

And then, if it has a wrong IP (of some malicious node), how could it affect the chance of other nodes to connect to that malicious one?

[piotr_n]

A few hours after I started this topic yesterday, the nodes stopped broadcasting bad IPs.
And for a few hours the network was all fine.

But now they are back, except that this time they introduce themselves as Bitcoin Unlimited or Classic.
It's really silly and I'm dying to find out how it's going to develop...

Is this caused by a brain tumor, drugs or maybe just not enough sleep?

Code:

54.201.14.113 from /BitcoinUnlimited:1.0.2(EB16; AD12)/
54.255.174.123 from /BitcoinUnlimited:1.0.2(EB16; AD12)/
54.206.13.36 from /BitcoinUnlimited:1.0.2(EB16; AD12)/
54.252.244.53 from /BitcoinUnlimited:1.0.2(EB16; AD12)/
54.67.126.145 from /Classic:1.2.5(EB6)/
52.79.224.60 from /BitcoinUnlimited:1.0.0.99(EB256; AD0)/
54.153.100.12 from /Classic:1.2.0(EB3.7)/
54.233.103.66 from /Classic:1.2.5(EB3.7)/
34.211.145.14 from /BitcoinUnlimited - https://btcpop.co:1.0.0.1(EB16; AD12)/
54.219.166.22 from /BitcoinUnlimited:1.0.1.1(EB0; AD12)/

[Coding Enthusiast]

This may be a strange question, or maybe because of my newbishness, but "How do you know it is a bitcoin node?"
I mean I can connect to any node that I have the IP to and successfully do a version handshake! And I am not even running a node, it is a simple Version <> Verack thing and you won't know unless you ask me for inventory

[piotr_n]

They seem to be an actual nodes, but whether they implement the entire protocol, or just the version handshake is irrelevant at this stage.

They still mess up with the local IP discovery mechanism used by the recent software.

These nodes seem to be getting advantage on how often they are connected to, as their "victims" advertise their IP as own.

[gmaxwell]

How does bitcoin core discover own IP, which is then reported to new peers inside the version messages?

I think these days it's just by the value reported from the connected peers - is that right?

And then, if it has a wrong IP (of some malicious node), how could it affect the chance of other nodes to connect to that malicious one?

It doesn't effect anything.  The only time those addresses are used is by by the peer when it generates an address broadcast message back to the specific peer that gave it that address.

I believe those same IPs were advertising classic for months before and XT before that.   I think many people have blocked them or even all of amazon from their node for a long time.

These nodes seem to be getting advantage on how often they are connected to, as their "victims" advertise their IP as own.

No such advantage.  You don't advertise that other nodes IP to anyone else except potentially that peer itself.

[piotr_n]

OK.
So I can't explain what was happening.
It stopped happening now, again.

But there was something odd about it.

I'm talking about maybe tens of nodes max doing this.
I have over 7000 nodes in my peers database - only ones that I've heard about during the last 2 hours.
What are the odds that when I start the node and it needs to choose 8 addresses to connect to, it gets 2, 3 or 4 of the ones that send the wrong IP?
And that's exactly what I was seeing when these nodes were alive - repeatedly, each time when I was starting my node.

Their IPs had to be advertised (via the addr messages) much more often and with some fresh timestamps.
It's the only explanation that I have.

[gmaxwell]

Their IPs had to be advertised (via the addr messages) much more often and with some fresh timestamps.
It's the only explanation that I have.

Sure but they can do that themselves.

What are the odds that when I start the node and it needs to choose 8 addresses to connect to, it gets 2, 3 or 4 of the ones that send the wrong IP?

Pretty good when they're half the reachable "nodes" out there....